ZDDC — Zero Day Document Control

What is it?

ZDDC is a convention, not a platform. Every deliverable's filename encodes its tracking number, revision, status, and title; every transmittal folder is date-prefixed and self-describing. A plain shared folder becomes a fully searchable, auditable information-management system — no server, no database, no software required to read the archive.

The four tools below are optional interfaces around this structure. Each is a single self-contained HTML file that works two ways: open it locally and point it at a folder on your disk, or put it behind any web server (including the optional zddc-server described below) and use it over the network. Same on-disk layout either way.

Read the full specification →

Try the tools

Each tool is published in three channels. Stable is versioned and immutable; beta and alpha are mutable previews of in-flight work.

Archive Browser

Browse, search, and filter your project folder. Group by transmittal; filter by tracking number, revision, status, or free text. Export selections as ZIP.

stable beta alpha

Transmittal Creator

Fill in metadata, drag in files, publish a self-contained HTML transmittal record with SHA-256 checksums. Optional digital signatures. The published file is the transmittal record.

stable beta alpha

Document Classifier

Spreadsheet-like interface for bulk-renaming files into ZDDC format. Copy/paste with Excel. Point it at a folder, fill in the columns, save all at once.

stable beta alpha

Markdown Editor

Browser-based markdown editor with live preview, YAML front matter, and table of contents. Direct local file access via the File System Access API.

stable beta alpha

Append ?v=alpha (or ?v=0.0.4, etc.) to any URL to switch versions for a single request — useful for sharing a link to an exact build. Direct local-folder access requires a Chromium-based browser (the File System Access API is unavailable in Firefox / Safari). Browse all versions →

zddc-server (optional)

The tools work two ways over the same on-disk archive. Pick whichever fits your team:

Local directory mode

Open a tool, click Add Directory, point it at a folder. The tool reads files via the File System Access API. No upload, no server, no account.

Enough for individual users and small teams on a shared drive (network share, Dropbox, OneDrive, syncthing).

Online mode

Take the same local directory and put it behind any web server (nginx, Caddy, Apache, or zddc-server). The Archive Browser tool talks to the server's directory listings instead of the local filesystem — read-only, works in any browser.

zddc-server is a small Go binary purpose-built to serve ZDDC archives. Any web server gives you online mode; zddc-server adds things a generic web server can't:

Access control via .zddc files. Behind a reverse proxy that authenticates users and sets an X-Auth-Request-Email request header, zddc-server consults YAML .zddc files in directories — cascading bottom-up; deeper rules override. Common shapes (paired open/closed projects + third-party-restricted vendor folders) are documented with worked examples in the access-control reference. No database, no admin UI.
OPA-compatible policy decider. Federal and other regulated customers can swap the built-in evaluator for an external Open Policy Agent server with their own audited Rego policies — set ZDDC_OPA_URL and the same .zddc files become inputs to your engine instead of ours. Wire format is OPA-canonical (POST /v1/data/zddc/access/allow). Default mode adds zero new dependencies; external mode is a configuration flip.
Designed for regulated environments. Hardened TLS (NIST SP 800-52 Rev. 2 cipher allowlist + HSTS), pluggable policy engine, federal-mode strict-least-privilege Rego shipping out of the box, structured audit logging, documented vulnerability-disclosure process. Specific federal-track work (FIPS-validated build, signed-token proxy↔server channel, code-signed tool fetches) is on a clear roadmap — see the federal compliance page for the supported deployment shape and what an integrator adds during ATO.
Virtual .archive URL space. GET /Project/.archive/123-XYZ.html resolves to the canonical revision file at request time. Computed from filenames; no cache, no separate index file.
Per-request access logging keyed to the authenticated user; conservative HTTP timeouts; optional file-tee for offline audit (production deployments typically leave logs on stdout for the orchestrator's pipeline to handle).
TLS, ETags, conditional GET, CORS, autoindex. The mundane glue.

The on-disk layout is the same in both modes. Stop the server and the directory is still a perfectly valid ZDDC archive that opens in local-directory mode. The server is convenience, not lock-in.

Source, environment-variable contract, and ACL syntax: codeberg.org/VARASYS/ZDDC zddc/. Pre-built binaries are published as Codeberg release assets; example Helm charts (production + dev) live under helm/ in the repo and compile from source at deploy time.

Install on your server

Two paths, no install scripts. The server has built-in fetch-and-cache for the tool HTMLs; the local-file path needs nothing more than a download.

Server: just run zddc-server

The binary has the current-stable build of all five tools baked in at compile time. They appear automatically at the right paths under ZDDC_ROOT:

archive.html at every level (root, project, archive, vendor)
classifier.html in any Incoming, Working, or Staging directory and its subtree
mdedit.html in any Working directory and its subtree
transmittal.html in any Staging directory and its subtree
index.html (the project picker) at the deployment root

ZDDC_ROOT=/srv/zddc ./zddc-server

To override a tool at any path: drop a real .html file there — that file wins over the baked-in version. To pin a different version, write an apps: entry in any .zddc file along the path:

# <project>/.zddc
apps:
  classifier: stable     # or beta / alpha / v0.0.4 / v0.0 / v0
  archive: https://my-fork.example/archive.html

URL sources are fetched once and cached in <ZDDC_ROOT>/_app/. To force a re-fetch, delete the cache file. Closer-to-leaf .zddc entries override parent ones.

Local: just download the .html file

No server, no install — open in any modern browser.

Right-click → Save As. Each tool is a self-contained HTML file with everything inlined; works from file:// or any static host.

Learn more

Technical Reference — the full ZDDC convention: filename format, tracking numbers, revisions, status codes, folder naming, transmittal workflow.
Access control reference — cascade rules, common deployment shapes (paired open/closed projects + third-party-vendor folders), anti-patterns, a five-minute verify-it-works recipe, the federal-readiness gap analysis with NIST control references, and the OPA-compatible decider configuration.
For federal evaluators — non-technical walk-through of what's already in place, the supported deployment shape, what an integrator adds during ATO, and the two-track build plan. Procurement-friendly entry point that links back to engineering detail.
All releases — every version and channel build of every tool, with per-version pin URLs.
codeberg.org/VARASYS/ZDDC — source code, issue tracker, contributor docs.